Secure Coding mailing list archives
Re: Java DOS
From: "Kevin W. Wall" <kevin.w.wall () gmail com>
Date: Tue, 15 Feb 2011 21:43:32 -0500
On 02/15/2011 11:38 AM, Jim Manico wrote:

[snip]

Ryan Barnett just spit out a new (impressive) mod security rule so you can tactically patch without touching code (see below).

[snip]

First step is to inspect the ARGS and REQUEST_HEADERS data using a regex to match on potential floating point payloads -

SecRule ARGS|REQUEST_HEADERS "[0-9\.]{12,}e-[0-9]{3,}" "phase:2,t:none,t:lowercase,nolog,pass,exec:/usr/local/apache/conf/modsec_current/base_rules/FloatingPointDoSAttack.lua"

If a payload is found that matches the regex check, ModSecurity will execute an external Lua script. The lua script then extracts out payloads, strips out the "." and then searches for the MagicDoSNumber. If this is found, then a TX variable is exported -
Great idea, but the regex still needs work. For instance, one needn't even use scientific notation at all, unless there is some other mod_security rule restricting the overall length of an HTTP request header. E.g.,

    Accept-Language: en-us; q=0.000000000...00022250738585072012

where I've omitted the appropriate # of zeros for the sake of readability.

Similarly, one could also write the quality metric using 'e-90' or 'e-3' or whatever; even 'e+2' if I wanted.

But the approach is correct; only the regex needs work unless there's some other mod_security rule that would catch these things.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents." -- Nathaniel Borenstein, co-creator of MIME

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
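As an added illustration (my own Python, not Ryan Barnett's rule or his Lua script), the following reproduces the two-stage check the quoted rule describes and runs it over constructed inputs covering the cases Kevin lists; the gating regex is copied from the SecRule above, and the digit string is taken from Kevin's Accept-Language example.

```python
import re

# First-stage regex exactly as quoted from the SecRule (it runs after t:lowercase).
FIRST_STAGE_RE = re.compile(r"[0-9\.]{12,}e-[0-9]{3,}")

# Digit string of the problematic value as written in Kevin's example
# ("...00022250738585072012"), i.e. the "MagicDoSNumber" with the '.' removed.
MAGIC_DIGITS = "22250738585072012"


def first_stage_matches(value: str) -> bool:
    """The SecRule regex: only 'digits/dots e-NNN' shapes reach the Lua script."""
    return FIRST_STAGE_RE.search(value.lower()) is not None


def second_stage_matches(value: str) -> bool:
    """What the thread says the Lua script does: strip '.' and search for the digits."""
    return MAGIC_DIGITS in value.lower().replace(".", "")


# Constructed sample inputs (assumed, not quoted from the thread); the zero counts
# keep each value numerically equal to 2.2250738585072012e-308.
SAMPLES = {
    "scientific": "2.2250738585072012e-308",                      # canonical form
    "no_exponent": "en-us; q=0." + "0" * 307 + MAGIC_DIGITS,      # Kevin's header example
    "short_exponent": "0." + "0" * 217 + MAGIC_DIGITS + "e-90",   # two-digit exponent
    "positive_exponent": "0." + "0" * 309 + MAGIC_DIGITS + "e+2",  # 'e+2' variant
    "benign_quality": "en-us; q=0.8",                              # must not be flagged
    "benign_tiny": "1." + "0" * 14 + "1e-300",                    # long but harmless
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (first_stage_hit, second_stage_hit)} for each sample."""
    return {name: (first_stage_matches(v), second_stage_matches(v))
            for name, v in samples.items()}


def missed_by_first_stage(samples: dict = SAMPLES) -> list:
    """Inputs the Lua check would flag but the gating regex never forwards to it."""
    return sorted(name for name, (first, second) in evaluate(samples).items()
                  if second and not first)


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:18s} regex={hits[0]!s:5s} strip-and-search={hits[1]}")
    print("missed by regex:", missed_by_first_stage())
```

Running the strip-and-search step on every ARGS and REQUEST_HEADERS value, rather than only on those the regex forwards, closes the three gaps the output lists.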